Many traditional multi-user operating systems associate privileges with user accounts. When a user installs an application, the application runs as that user and inherits the user's ability to access system resources. However, modern browsers and device operating systems, such as smartphone operating systems, typically treat applications as mutually untrusting, potentially malicious principals. In most cases, applications are isolated from one another except for explicit inter-process, or inter-application, communication (IPC) channels. In addition, applications are often unprivileged by default and may be granted additional privileges, or permissions, by the user. In other words, permission to use devices and to access user-private data through system application programming interfaces (APIs) is granted to individual applications by the user, so each application has its own set of permissions, as determined by the user.
Although inter-application communication supports useful collaboration between applications, it also introduces the risk of permission re-delegation. Permission re-delegation occurs when an application with permissions performs a privileged task for an application without permissions. The privileged application may be referred to as a deputy application and may wield authority on behalf of the user. While a permission system may often prevent applications from accessing privileged system APIs without user consent, permission re-delegation may circumvent the permission system and allow an unprivileged application to access such privileged system APIs. This undermines the user's right to approve each application's access to privileged devices and data, leaving such devices and data vulnerable to software bugs and data corruption.
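The re-delegation problem described above, as an added example that is not part of the original text: a toy in-memory "permission system" in which a privileged deputy application exports an IPC endpoint. The vulnerable deputy performs the privileged call under its own identity for any sender, so an application the user granted nothing can read the location anyway. The hardened variant acts only with the intersection of its own permissions and the sender's, so the caller gains nothing it was not granted. All application names, permission names, the `System` class and the sample coordinate are constructed for this example and do not correspond to any real operating system's API.

```python
"""Toy model of per-application permissions plus IPC, showing permission
re-delegation through a deputy and one mitigation (checking the sender's
permissions before acting on its behalf). Everything here is constructed
for illustration; it is not a real OS interface."""

from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised by the 'system' when an app lacks a required permission."""


@dataclass(frozen=True)
class App:
    name: str
    permissions: frozenset  # permissions the user granted this app


class System:
    """Stands in for the OS: each privileged API checks the caller's grants."""

    def __init__(self):
        self.call_log = []  # (app name, api) pairs, for auditing

    def _require(self, caller, perm):
        if perm not in caller.permissions:
            raise PermissionDenied(f"{caller.name} lacks {perm}")

    def read_location(self, caller):
        self._require(caller, "LOCATION")
        self.call_log.append((caller.name, "read_location"))
        return (37.7749, -122.4194)  # constructed sample coordinate


class VulnerableDeputy:
    """Privileged app exporting an IPC endpoint that does the privileged work
    under its own identity for *any* sender: permission re-delegation."""

    def __init__(self, app, system):
        self.app, self.system = app, system

    def handle_ipc(self, sender, request):
        if request == "where_am_i":
            # The sender's own permissions are never consulted.
            return self.system.read_location(self.app)
        raise ValueError(f"unknown request {request!r}")


class HardenedDeputy(VulnerableDeputy):
    """Same endpoint, but the deputy acts with only the permissions that both
    it and the sender hold, so the sender cannot borrow the deputy's grants."""

    def handle_ipc(self, sender, request):
        effective = App(self.app.name,
                        self.app.permissions & sender.permissions)
        if request == "where_am_i":
            return self.system.read_location(effective)
        raise ValueError(f"unknown request {request!r}")


def run_scenario(deputy_cls, caller_perms=frozenset()):
    """Try the privileged API directly and via the deputy; report each outcome."""
    system = System()
    deputy = deputy_cls(App("maps", frozenset({"LOCATION"})), system)
    caller = App("flashlight", frozenset(caller_perms))

    def attempt(fn):
        try:
            fn()
            return "allowed"
        except PermissionDenied:
            return "denied"

    return {
        "direct": attempt(lambda: system.read_location(caller)),
        "via_deputy": attempt(lambda: deputy.handle_ipc(caller, "where_am_i")),
        "log": list(system.call_log),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableDeputy))
    print("hardened:  ", run_scenario(HardenedDeputy))
    print("legit:     ", run_scenario(HardenedDeputy, {"LOCATION"}))
```

The `log` field shows why this is hard to catch after the fact: in the vulnerable case the audit trail records the deputy ("maps") as the reader, not the unprivileged application that actually requested the data, which is exactly the loss of per-application accountability the passage warns about.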